iNeo, posted 7 September 2007:

Hi. Dad has caught the new MSN virus, can someone check whether it is running in the background? Here is the log!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31:26, on 07.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\WLTRAY.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
D:\Programfiler\Winamp\winampa.exe
D:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
D:\Programfiler\Unlocker\UnlockerAssistant.exe
D:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
D:\Programfiler\Windows Media Player\WMPNSCFG.exe
D:\Programfiler\DAEMON Tools Pro\DTProAgent.exe
D:\DOCUME~1\Einar\LOKALE~1\Temp\RtkBtMnt.exe
D:\WINDOWS\System32\svchost.exe
D:\Programfiler\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Programfiler\Internet Explorer\iexplore.exe
D:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
D:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] D:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] D:\Programfiler\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [synTPEnh] D:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Programfiler\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [unlockerAssistant] "D:\Programfiler\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSN] msnmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] D:\Programfiler\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "D:\Programfiler\DAEMON Tools Pro\DTProAgent.exe"
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programfiler\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Programfiler\WinPcap\rpcapd.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - D:\Programfiler\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - D:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5877 bytes

Many thanks to everyone who helps.
norbat, posted 7 September 2007:

Hi,

Yes, the worm is running, so we do the following:

Download SDFix to the desktop.
Double-click SDFix.exe and it will extract itself to a folder at C:\SDFix
Restart the PC in safe mode (tap F8 during startup, choose safe mode)
Open the SDFix folder and double-click 'RunThis.bat' to start the program
Choose Y to start the cleaning
The PC will restart, and SDFix will continue.

Post a new HJT log + the log from SDFix (it will be in the SDFix folder as Report.txt).
iNeo (thread author), posted 7 September 2007:

The PC won't start in safe mode.
norbat, posted 7 September 2007:

We'll try a different approach:

Get ComboFix and put it on the desktop.
Run combofix.exe and follow the instructions. You must not click on the window while the program is running.
Post the log file from ComboFix (usually c:\combofix.txt) + a new HJT log.

(What happens when you press F8 and choose safe mode?)
iNeo (thread author), posted 7 September 2007:

norbat wrote:
We'll try a different approach: Get ComboFix and put it on the desktop. Run combofix.exe and follow the instructions. You must not click on the window while the program is running. Post the log file from ComboFix (usually c:\combofix.txt) + a new HJT log. (What happens when you press F8 and choose safe mode?)

The files that are to be loaded get loaded, then an "_" (underscore) appears and sits there blinking. Like in "cmd" when you aren't typing. So the screen goes black, then that underscore appears and blinks.
iNeo (thread author), posted 7 September 2007 (edited):

Here is the ComboFix log. You don't need to discuss certain items that appear in the log. (I'm thinking of the naughty stuff, and yes, it is my father's PC.)

ComboFix 07-09-08 - "Einar" 2007-09-07 21:53:19.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.618 [GMT 2:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\WINDOWS\images.zip
D:\WINDOWS\system32\Desktop_.ini

((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.
2007-09-07 21:52 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-09-07 21:33 <DIR> d--hs---- D:\FOUND.006
2007-09-07 19:45 <DIR> d-------- D:\Programfiler\RealVNC
2007-09-07 01:22 47,036 --a------ D:\WINDOWS\system32\SSL.exe
2007-09-06 17:37 <DIR> d-------- D:\Programfiler\Trend Micro
2007-09-03 16:44 <DIR> d--hs---- D:\FOUND.005
2007-08-31 07:38 <DIR> d--hs---- D:\FOUND.004
2007-08-26 11:57 <DIR> d-------- D:\DOCUME~1\Einar\PROGRA~1\Opera
2007-08-24 15:38 <DIR> d--hs---- D:\FOUND.003
2007-08-23 11:28 <DIR> d--hs---- D:\FOUND.002
2007-08-22 13:30 <DIR> d-------- D:\Programfiler\WinPcap
2007-08-22 13:29 <DIR> d-------- D:\Programfiler\Cain
2007-08-20 12:19 <DIR> d-------- D:\Programfiler\Opera
2007-08-20 12:16 <DIR> d-------- D:\Kill.Buljo.The.Movie.2007.NORWEGIAN.PAL.DVDR-SAN
2007-08-20 12:15 <DIR> d-------- D:\VIDEO_TS
2007-08-19 23:30 <DIR> d-------- D:\Programfiler\Frets on Fire
2007-08-19 22:41 5,504 --a------ D:\WINDOWS\system32\drivers\MSTEE.sys
2007-08-19 22:41 5,504 --a------ D:\WINDOWS\system32\dllcache\mstee.sys
2007-08-19 22:41 15,360 --a------ D:\WINDOWS\system32\drivers\StreamIP.sys
2007-08-19 22:41 15,360 --a------ D:\WINDOWS\system32\dllcache\streamip.sys
2007-08-19 22:41 10,880 --a------ D:\WINDOWS\system32\drivers\NdisIP.sys
2007-08-19 22:41 10,880 --a------ D:\WINDOWS\system32\dllcache\ndisip.sys
2007-08-19 20:18 <DIR> d-------- D:\Programfiler\Broadcom
2007-08-16 21:07 221,184 --a------ D:\WINDOWS\system32\wmpns.dll
2007-08-13 11:53 <DIR> d--hs---- D:\FOUND.001
2007-08-10 23:17 32,592 --a------ D:\WINDOWS\system32\msonpmon.dll
2007-08-10 23:11 <DIR> d-------- D:\Programfiler\MSBuild
2007-08-10 23:11 <DIR> d-------- D:\Programfiler\Microsoft Works
2007-08-10 23:05 <DIR> d-------- D:\WINDOWS\SHELLNEW
2007-08-10 23:04 <DIR> dr-h----- D:\MSOCache
2007-08-10 23:04 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\PROGRA~1\Microsoft Help
2007-08-10 22:58 <DIR> d--hs---- D:\FOUND.000
2007-08-10 22:54 94,208 --a------ D:\cryptapi.dll
2007-08-10 22:50 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\PROGRA~1\DAEMON Tools Pro
2007-08-10 22:49 <DIR> d-------- D:\Programfiler\DAEMON Tools Pro
2007-08-10 22:49 <DIR> d-------- D:\DOCUME~1\Einar\PROGRA~1\DAEMON Tools Pro
2007-08-10 22:47 685,816 --a------ D:\WINDOWS\system32\drivers\sptd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-30 19:19 92504 --a------ D:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ D:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ D:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ D:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ D:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ D:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ D:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ D:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ D:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ D:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ D:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ D:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ D:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ D:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ D:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 18:25 --------- d-------- D:\Programfiler\Winamp
2007-07-26 18:20 --------- d-------- D:\DOCUME~1\EINAR\PROGRA~1\vlc
2007-07-26 18:17 --------- d-------- D:\Programfiler\VideoLAN
2007-07-26 18:17 --------- d-------- D:\DOCUME~1\EINAR\PROGRA~1\dvdcss
2007-07-19 08:58 3583488 --a------ D:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-13 01:32 765952 --a------ D:\WINDOWS\system32\dllcache\vgx.dll
2007-07-08 11:09 --------- d-------- D:\Programfiler\Windows Live
2007-07-08 11:09 --------- d-------- D:\DOCUME~1\ALLUSE~1\PROGRA~1\WLInstaller
2007-07-08 11:09 --------- d-------- D:\DOCUME~1\ALLUSE~1\PROGRA~1\WindowsLiveInstaller
2007-07-07 22:46 298104 --a------ D:\WINDOWS\system32\imon.dll
2007-06-29 02:01 88696 --a------ D:\WINDOWS\system32\Packet.dll
2007-06-29 02:01 68224 --a------ D:\WINDOWS\system32\WanPacket.dll
2007-06-29 02:01 53299 --a------ D:\WINDOWS\system32\pthreadVC.dll
2007-06-29 02:01 240240 --a------ D:\WINDOWS\system32\wpcap.dll
2007-06-27 16:13 823808 --a------ D:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 16:13 671232 --a------ D:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 16:13 477696 --a------ D:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 16:13 232960 --a------ D:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 16:13 193024 --a------ D:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 16:13 1152000 --a------ D:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 16:13 105984 --a------ D:\WINDOWS\system32\dllcache\url.dll
2007-06-27 16:13 102400 --a------ D:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 16:12 6058496 --------- D:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 16:12 52224 --------- D:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 16:12 459264 --------- D:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 16:12 44544 --a------ D:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 16:12 27648 --a------ D:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 16:12 267776 --------- D:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 16:11 384512 --a------ D:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 16:11 383488 --------- D:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 16:11 230400 --a------ D:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 16:11 153088 --a------ D:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 16:11 132608 --a------ D:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 16:11 124928 --a------ D:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 15:54 317440 --a------ D:\WINDOWS\system32\dllcache\unregmp2.exe
2007-06-27 10:29 625152 --a------ D:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 10:27 63488 --a------ D:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 10:27 13824 --------- D:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 09:00 161792 --a------ D:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 08:08 1104896 --a------ D:\WINDOWS\system32\msxml3.dll
2007-06-26 08:08 1104896 --a------ D:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 15:42 282112 --a------ D:\WINDOWS\system32\gdi32.dll
2007-06-19 15:42 282112 --a------ D:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 15:24 1033216 --a------ D:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 15:24 1033216 --a------ D:\WINDOWS\explorer.exe
2007-06-11 23:51 10834944 --a------ D:\WINDOWS\system32\dllcache\wmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="D:\WINDOWS\system32\WLTRAY.exe" [2005-11-11 20:40]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-16 11:23 D:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-08-16 11:21 D:\WINDOWS\SkyTel.exe]
"AzMixerSel"="D:\Programfiler\Realtek\InstallShield\AzMixerSel.exe" [2006-08-16 11:20]
"igfxtray"="D:\WINDOWS\system32\igfxtray.exe" [2006-03-23 12:17]
"igfxhkcmd"="D:\WINDOWS\system32\hkcmd.exe" [2006-03-23 12:13]
"igfxpers"="D:\WINDOWS\system32\igfxpers.exe" [2006-03-23 12:17]
"nod32kui"="D:\Programfiler\Eset\nod32kui.exe" [2007-07-07 22:46]
"SynTPEnh"="D:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07]
"WinampAgent"="D:\Programfiler\Winamp\winampa.exe" [2007-05-15 00:22]
"Adobe Reader Speed Launcher"="D:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="D:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"UnlockerAssistant"="D:\Programfiler\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19]
"GrooveMonitor"="D:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
"MsnMsgr"="D:\Programfiler\Windows Live\Messenger\MsnMsgr.exe" [2007-05-17 13:11]
"WMPNSCFG"="D:\Programfiler\Windows Media Player\WMPNSCFG.exe" [2006-11-15 10:46]
"DAEMON Tools Pro Agent"="D:\Programfiler\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 14:45]

S3 NPF;NetGroup Packet Filter Driver;D:\WINDOWS\system32\drivers\npf.sys

*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 21:54:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-08 21:55:10
D:\ComboFix-quarantined-files.txt ... 2007-09-08 21:55
.
--- E O F ---

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:09, on 08.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\WLTRAY.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Programfiler\Eset\nod32kui.exe
D:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
D:\Programfiler\Winamp\winampa.exe
D:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
D:\Programfiler\Unlocker\UnlockerAssistant.exe
D:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
D:\Programfiler\Windows Media Player\WMPNSCFG.exe
D:\Programfiler\DAEMON Tools Pro\DTProAgent.exe
D:\DOCUME~1\Einar\LOKALE~1\Temp\RtkBtMnt.exe
D:\WINDOWS\System32\svchost.exe
D:\Programfiler\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\Programfiler\RealVNC\VNC4\WinVNC4.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Programfiler\Internet Explorer\iexplore.exe
D:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] D:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] D:\Programfiler\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [synTPEnh] D:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Programfiler\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [unlockerAssistant] "D:\Programfiler\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] D:\Programfiler\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "D:\Programfiler\DAEMON Tools Pro\DTProAgent.exe"
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programfiler\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Programfiler\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - D:\Programfiler\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - D:\Programfiler\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - D:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5928 bytes

Edited 7 September 2007 by Tt.mrX
norbat, posted 7 September 2007 (edited):

See whether the process list contains a process called msnmsgs.exe. If so, end it.

Run HJT and fix the following line:
O4 - HKLM\..\Run: [MSN] msnmsgs.exe

Use Explorer and see whether you can find the file msnmsgs.exe. Search, or check whether it is in the following location:
C:\Program Files\MSN\msnmsgs.exe

Install SAS and run a full scan.
Post the log from SAS + a new HJT log.

EDIT: Your latest HJT log looks fine, so this looks good. It doesn't hurt to run a full scan with SAS, though.

Edited 7 September 2007 by norbat
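The two HijackThis logs in this thread differ in only a handful of entries, and the [MSN] line is one of them. The script below is an added example written for this page; it is not from the thread, from HijackThis or from any other tool mentioned here. It parses the entry lines (R/F/N/O sections) of two HijackThis logs, lists what disappeared and what appeared between them, and flags O4 Run entries whose target is an unqualified filename such as msnmsgs.exe: Windows resolves such a name through the process search path at launch, so the log line alone does not say which file on disk will run, which is exactly why the file in this thread turned up under a different Windows directory than expected. The sample input is a constructed excerpt of the two logs posted above, trimmed to the relevant entries.

```python
import re

# Constructed sample input: excerpts of the two HijackThis logs posted in
# this thread (first log before cleanup, second after ComboFix), trimmed to
# the entries that matter here. Raw strings keep the backslashes intact.
LOG_BEFORE = r'''
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
D:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "D:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSN] msnmsgs.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programfiler\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Programfiler\WinPcap\rpcapd.exe
'''

LOG_AFTER = r'''
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
D:\WINDOWS\System32\smss.exe
D:\Programfiler\RealVNC\VNC4\WinVNC4.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nod32kui] "D:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MsnMsgr] "D:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programfiler\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Programfiler\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - D:\Programfiler\RealVNC\VNC4\WinVNC4.exe
'''

# A HijackThis entry line: section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

# O4 autostart lines: "O4 - HKLM\..\Run: [name] value" (also RunOnce etc.).
O4_RE = re.compile(r"^O4 - (HK\S+?)\\\.\.\\Run(?:OnceEx|Once|Services)?: \[([^\]]*)\] (.*)$")


def parse_hjt(text):
    """Return the entry lines of a log, trimmed. Headers and the process
    listing are dropped: they change from run to run and are not persistent."""
    return [ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())]


def diff_hjt(before, after):
    """Entries present only in the first log, and entries present only in the second."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def run_target(value):
    """Extract the executable from an O4 value, dropping quotes and arguments."""
    value = value.strip()
    if not value:
        return ""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted values may contain spaces in the path, so cut after the first
    # executable extension instead of at the first space.
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]


def is_bare(target):
    """True when the target has no directory or drive component at all."""
    return "\\" not in target and "/" not in target and not re.match(r"^[A-Za-z]:", target)


def bare_run_entries(text):
    """(name, target) for every O4 Run entry whose target is an unqualified
    filename. Bare does not mean malicious (RTHDCPL.EXE is a Realtek file that
    ComboFix resolved to the Windows directory), it means the log cannot tell
    you which file will run, so each one has to be resolved on the machine."""
    flagged = []
    for line in parse_hjt(text):
        m = O4_RE.match(line)
        if m:
            target = run_target(m.group(3))
            if is_bare(target):
                flagged.append((m.group(2), target))
    return flagged


def triage(before, after):
    """Both checks in one report, keyed for further processing."""
    removed, added = diff_hjt(before, after)
    return {"removed": removed, "added": added,
            "bare_before": bare_run_entries(before),
            "bare_after": bare_run_entries(after)}


if __name__ == "__main__":
    report = triage(LOG_BEFORE, LOG_AFTER)
    for key, items in report.items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against the excerpts, the diff reports the [Alcmtr] and [MSN] Run entries as gone and the WinVNC4 service as new (RealVNC was installed on 2007-09-07 according to the ComboFix file list above, so a new remote-access service appearing between the two logs is expected here, but it is exactly the kind of change worth confirming with the machine's owner). The bare-name check still lists RTHDCPL.EXE and SkyTel.EXE in the second log; those are the ones ComboFix's "Reg Loading Points" section already resolved to D:\WINDOWS, which is the verification step each bare entry needs.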
iNeo (thread author), posted 7 September 2007:

If you had looked at the log, you would have seen that it isn't running. And I can now confirm that it isn't.
norbat, posted 7 September 2007:

We were writing past each other a bit.
iNeo (thread author), posted 7 September 2007:

norbat wrote:
We were writing past each other a bit.

I found it, I found it! I have Windows XP on D:\, BUT I found msnmsgs.exe on C:\ in the Windows folder. Looks like the virus is meant to take C:\windows instead of the Windows folder that is actually in use (it uses D:\windows, not C:\windows). Very clumsily explained, but...